Moving from one brand of gateway firewall to another is proving to be a daunting task that corporate customers say takes six or more months because of a lack of industry standards and dearth of migration tools.
While shifting from one brand of any sort of network equipment to another can be trying, security experts say exchanging gateway firewalls is particularly challenging. The big problem is that vendors generally define access-control rules so differently that migrations need to be conducted largely on a manual basis.
“There really are no export/import utilities, and it’s that way across the industry,” says David Arbo, director of security at Oakland global shipping company APL, which has spent a year transitioning its dozen Check Point-based Nokia gateway firewalls to the Symantec Gateway Security (SGS) appliance.
APL, with about 10,000 network users, had to rewrite its access-control rules for them to work with the SGS.
To help with that transition, migration tools and services from third parties exist, though they can be pricey. Such tools from firewall vendors are sparse, but Cisco has something in the works and offers consulting.
The Smithsonian Institute, which maintains a private global network for about 9,000 users worldwide, pretty much made a firewall shift on its own.
“It’s taken us six to eight months to clean up the old rules,” says Leonard Butler, network security engineer, about swapping out three-decade-old Cisco PIX gateway firewalls for Check Point’s Next Generation firewalls. “That’s all I do.”
Some firewall vendors acknowledge that network managers are mainly left to their own devices.
“Among the vendors, everyone approaches the rules base slightly differently,” says Dean Ocampo, product marketing manager at Check Point, which offers no tools to assist the migration process.
Some users try the script-based approach to convert old rules to new ones in the target firewall, but he warns buyers to beware. The conversion is a slow process, with six months being realistic, though using third-party modeling tools can help, Ocampo says.
Meanwhile, Cisco recommends that customers look into using products from Solsoft, one of the few vendors with tools that help in the firewall rules-conversion process.
Solsoft’s Policy Server can be used to manage multi-vendor firewall environments and includes a rules translation component, says Domenick Lionetti, vice-president of sales at the company. But the tool, also offered in a scaled-back stand-alone version called Firewall Manager for small to midsize companies, doesn’t cover the full range of firewalls.
Lionetti also recommends customers carefully review the converted changes rather than simply exporting them to the target firewall.
Skybox Security is another third-party provider. It takes a different approach with its Assure product, which is designed as a “virtual staging environment” for analyzing and comparing network changes by running simulation tests for purposes of security. But Skybox Assure is expensive, starting at US$75,000.
While no one ever claimed firewall migration was easy, it’s grown considerably harder over the past three years, says Amit Patel, director of product marketing and security management at Cisco.
He recommends that network professionals document their firewall configurations and access rules as comprehensively as possible before migration.
“It’s a common experience that there’s no external documentation. But for the few that have this, the move has been fairly graceful.”